2. FUNDAMENTACIÓN TEÓRICA
2.2. Marco Teórico Referencial 17
10.2.1. HIPAA Electronic Transmissions and Claims Transactions
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines an electronic health care transaction as “the transmission of information between two parties to carry out financial or administrative activities related to health care.” [42 CFR § 160.103] When engaging in electronic transactions, e.g.., to verify Medicaid eligibility or submit claims, Medicaid-participating school corporations and their billing agents must comply with HIPAA rules governing (1) electronic transactions and code sets (the “TCS Rule,” 42 CFR 162, et seq.), and (2) security of information transmitted electronically (“the Security Rule,” 42 CFR 164, et seq.). Just as the Security Rule requires protection of electronically transmitted health information, the HIPAA Privacy Rule requires safeguards for paper and other non-electronic health records.
However, individually identifiable health information in a student’s education record that is protected under the Family Educational Rights and Privacy Act (FERPA) is not subject to the HIPAA Privacy rule. Please refer to Section 10.2.2. for a discussion of HIPAA and FERPA privacy protections.
The TCS Rule requires the use of standardized national billing codes and modifiers in electronic health care transactions. The Security Rule sets out security standards for administrative, physical and technical safeguards of electronically transmitted individually identifiable health information. Required administrative safeguards include policies and procedures for identifying who may have access to electronic health records; physical safeguards concern placement of equipment; and technical safeguards focus on controlling access to computer systems or software and protected communications. School corporations that employ a billing agent to submit electronic claims on their behalf must require the billing company to comply with HIPAA TCS and Security Rule provisions. If the school corporation itself operates an electronic billing system or otherwise engages in electronic health care transactions, it must use HIPAA compliant transactions and code sets as well as safeguard electronic information in accordance with HIPAA security requirements.
The Centers for Medicare and Medicaid Services (CMS), U.S. Department of Health and Human Services, provides overviews and guidance on its TCS and Security Rules at the following web sites:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
10.2.2. HIPAA versus FERPA Privacy Protections and Student Health Records A public school corporation or charter school that receives federal education funds is required, by the Family Educational Rights and Privacy Act (FERPA), to ensure that personally identifiable information from a student’s education record is not disclosed
Chapter 10: Program Compliance Section 2: HIPAA and FERPA
November 26, 2014 10-2-2
improperly. Similarly, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires health care providers to safeguard individually identifiable “Protected Health Information.” Both federal laws are clearly intended to protect individuals’ private health records from improper disclosure. As indicated in Section 9.2.1. above, Medicaid-participating public schools must comply with the HIPAA security rule when engaging in electronic health care transactions (for example, electronic data transactions to submit claims or verify eligibility/coverage), however, FERPA, not HIPAA, privacy requirements apply to non-electronically transmitted student education records,
including Special Education records, for purposes of disclosing individually identifiable information. (See also: Tool Kit Appendix G.)
The following excerpts are taken from the preamble to Final Rules addressing HIPAA privacy standards for individually identifiable health information. Federal Register Volume 65, Number 250 (12-28-2000).
“FERPA, as amended, 20 U.S.C. 1232g, provides parents of students and eligible students (students who are 18 or older) with privacy protections and rights for the records of students maintained by federally funded educational agencies or institutions or persons acting for these agencies or institutions. We have excluded education records covered by FERPA, including those education records designated as education records under Parts B, C, and D of the Individuals with Disabilities Education Act [IDEA] Amendments of 1997, from the definition of protected health information. For example, individually identifiable health information of students under the age of 18 created by a nurse in a primary or secondary school that receives federal funds and that is subject to FERPA is an education record, but not protected health information. Therefore, the privacy regulation does not apply. We followed this course because Congress specifically addressed how information in education records should be protected in FERPA.
We have also excluded certain records, those described at 20 U.S.C. 1232g(a)(4)(B)(iv), from the definition of protected health information because FERPA also provided a specific structure for the maintenance of these records. These are records (1) of students who are 18 years or older or are attending post-secondary educational institutions, (2) maintained by a physician, psychiatrist, psychologist, or recognized professional or paraprofessional acting or assisting in that capacity, (3) that are made, maintained, or used only in connection with the provision of treatment to the student, and (4) that are not available to anyone, except a physician or appropriate professional reviewing that record as designated by the student. Because FERPA excludes these records from its protections only to the extent they are not available to anyone other than persons providing treatment to students, any use or disclosure of the record for other purposes, including providing access to the individual student who is the subject of that information, would turn the record into an education record. As education records, they would be subject to the protections of FERPA.”
“While we strongly believe every individual should have the same level of privacy protection for his/her individually identifiable health information, Congress did not provide us with authority to disturb the scheme it had devised for records maintained by educational institutions and agencies under FERPA. We do not believe Congress intended to amend or preempt FERPA when it enacted HIPAA.
Chapter 10: Program Compliance Section 2: HIPAA and FERPA
February 28, 2013 10-2-3
With regard to the records described at 20 U.S.C. 1232(g)(4)(B)(iv), we considered requiring health care providers engaged in HIPAA transactions to comply with the privacy regulation up to the point these records were used or disclosed for purposes other than treatment. At that point, the records would be converted from protected health information into education records. This conversion would occur any time a student sought to exercise his/her access rights. The provider, then, would need to treat the record in accordance with FERPA’s requirements and be relieved from its
obligations under the [HIPAA] privacy regulation. We chose not to adopt this approach because it would be unduly burdensome to require providers to comply with two different, yet similar, sets of regulations and inconsistent with the policy in FERPA that these records be exempt from regulation to the extent the records were used only to treat the student.”
Information published by the National Association of School Nurses states, “school districts that bill Medicaid,” or otherwise do business with an entity covered by HIPAA, ‘are encouraged to employ HIPAA privacy standards, even if they are not required to do so by law. Such compliance demonstrates the district’s respect for the sensitivity and confidentiality of student health information, augments their procedural compliance with FERPA, and enhances trust and communication among schools, parents, students, and health care providers.” Included below are suggested practices (from Guidelines for Protecting Confidential Student Health Information
• Distribute individualized 504, education and health care plans to staff only as necessary to communicate the health and safety need of the student named therein, instead of circulating a list of students with their medical conditions.
, ASHA), which schools may adopt to safeguard protected health information from inadvertent/unauthorized disclosure.
• Handle health information obtained from students and families in a private, confidential manner. For example, conversations with students and families should occur in private, and when talking with families on the telephone, make calls from a private office. Staff opening mail and handling faxes should be educated about the importance of securing private health information and not leaving it open on desks or fax machines. Typed information and information on computer screens should be covered or positioned to protect it from casual observers.
• Store student health information in locked file cabinets and secure computer files with restricted access. FERPA {Sec.99.32(a)(1)} requires that each record have an access log, stating the name and title of the person receiving the information, the date of access, and the ‘legitimate interest’ for requesting the information. Although this does not apply to the person who created the record, it does include other school staff, and for any record that is copied or released to individuals outside the school, there must be a written parental consent for and description of the nature of the disclosure.
• Individual school health records that are transferred to another school should be sealed in an envelope labeled “CONFIDENTIAL for School Nurse” and included with the education record.
See also:
Chapter 10: Program Compliance Section 3: False Claims Act
March 29, 2011 10-3-1